System and method for administering physical security access to components of a process control system

ABSTRACT

A system for restricting physical access to at least one process control system component has a locking device that is integrated with process control system security administration data. The locking device accesses the process control system security data when authenticating a user. Upon authentication of a user for physical access to the particular process control component, the user may directly access the component for which the user is authorized. The system provides tracking of all authenticated users and attempts to access the various control system components.

TECHNICAL FIELD

The present disclosure generally relates to a system for restricting physical access to components of a process control system.

BACKGROUND

Process control systems have user authentication that prevents unauthorized users from accessing the system software to make changes to data or parameters, such as set points. However, most of the physical equipment associated with the process control system is in a single location. When a user is authorized to access this single location, all process control system components, including the associated communications equipment, are often available to the user.

In other installations, each component of the control system may be locked in a separate enclosure. The cabinets may all share a common key or require different keys for access. Therefore, there is a need in the art for improved management of the physical security of process control system components.

SUMMARY

A system for administering physical access to at least one component of a process control system has an electronic lock for restricting access to an enclosure containing the at least one component by associating a physical access permission with an enclosure and providing a first level of user authentication, a communication API for transmitting open and close requests between an asset management component of the control system and the electronic lock, an access management component for managing user roles and associated permissions in the process control system, and wherein the asset management component of the process control system provides a second level of user authentication by comparing the electronic lock physical access permission with process control system permissions defined in the access management component to determine whether a user is granted or denied permission to contents of the respective enclosure.

A method for controlling access to at least one physical component of a process control system is provided. The method has the following steps: receiving user credentials by an electronic lock installed with an enclosure housing at least one component of the process control system; transmitting the user credentials and lock address from the electronic lock to an asset management component of the process control system; requesting user granted permissions by the asset management component from the process control system access management component; identifying the enclosure by using the locking system network address; receiving physical access permissions of the enclosure by the asset management component from the electronic lock; validating by the asset management component whether the physical access permissions are equivalent to the user access permissions in the control system; and providing access to at least one component inside the enclosure if the user is validated for access to the enclosure contents, and preventing access if the user is not validated for access to the enclosure.

Further, the tracking of issues back to individuals accessing the control system enclosure at the time of an issue with the corresponding at least one physical component of the process control system is provided.

BRIEF DESCRIPTION OF THE FIGURES

In the accompanying drawings, structural embodiments are illustrated that, together with the detailed description provided below, describe exemplary embodiments of a system for restricting access to process control components. One of ordinary skill in the art will appreciate that a component may be designed as multiple components or that multiple components may be designed as a single component.

Further, in the accompanying drawings and description that follow, like parts are indicated throughout the drawings and written description with the same reference numerals, respectively. The figures are not drawn to scale and the proportions of certain parts have been exaggerated for convenience of illustration.

FIG. 1 is a schematic of electronic locks in communication with components of a process control system;

FIG. 2 is a schematic of a system for integrating physical access security with a process control system in which a user is granted access to an enclosure housing of at least one process control system physical component;

FIG. 3 is a schematic of the system of FIG. 2 in which a user is denied access to enclosures containing at least one physical component of a process control system; and

FIG. 4 is a schematic of the system of FIG. 3 in which a motor control center is housed in the enclosure and is locked out under a lock out/tag out procedure.

DETAILED DESCRIPTION OF THE ILLUSTRATIVE EMBODIMENTS

With reference to FIG. 1, a system 100 for integrating physical access security configuration, monitoring and reporting with the access management component 20 of a process control system 50 is shown. The system 100 has at least one electronic lock 40 or 40 a (FIGS. 2-4), a communication Application Programming Interface (API) 18 and a process control system 50 having software components such as asset management 24, access management 20, user role management 22, maintenance management 26 and an equipment database 38.

The process control system 50 is a distributed control system or another system for managing manufacturing processes such as chemical, pharmaceutical, power generation and power distribution processes as well as any other applicable process. One example of a process control system 50 that may be used with the present disclosure is the 800xA system that is commercially available. The process control system 50 has software 30 for managing equipment and processes and hardware in the form of at least one physical component 19 (FIGS. 2-4) such as servers, network equipment, controllers, transmitters, field devices, final control elements, and wiring components. The control system 50, control system software components 20, 22, 24, 26, 38, and electronic lock 40 or 40 a (FIGS. 2-4) have non-transitory computer readable program code for execution by a processor on a computer readable medium for carrying out the steps of linking physical security access to an enclosure containing contents that are accessible to a user according to the job function of the respective user and the contents of the enclosure 17. The enclosure 17 can be the single location or alternatively located in the single location, the single location being a room in a building. Alternatively, the enclosure 17 can be located in an outdoor environment. Furthermore, one or more additional (secondary, tertiary, etc.) enclosures 17 can be located or otherwise disposed within an enclosure 17. In some embodiments each of the additional enclosures 17 may also have a computer component located therein such as a component of a process control system 50. Further, each of the enclosures 17 may include an electronic lock 40 with a set of permissions associated therewith that may be differentiated relative to one another. Each of the computer components is accessible only when permissions associated with a user's credentials correspond with the permissions defined by an electronic lock 40 for the associated enclosure 17.

The asset management component 24 interfaces with the reporting 32, auditing 34, and alarming 36 sub-components of the process control system 50. The asset management component 24 of the process control system 50 has an equipment database 38 for storing the identity of the enclosure, IP (internet protocol) address of the electronic lock securing the enclosure, enclosure type, and other data about equipment in an installed base, such as a set of equipment installed across an organization. By way of non-limiting example, enclosure types are controller, termination, networking, servers, motor control, safety system, and power distribution enclosures. It should be understood that other enclosure types are possible depending on the installation.

The access management component 20 in the process control system 50 ties physical components such as the enclosure 17, at least one component inside the enclosure, and the electronic lock 40 to logical representations 17 a, 40 a of the physical components within the control system 50. The asset management component 24 manages the logical representations of the equipment and is in communication with the user role management component 22.

The user role management component 22 contains the definitions of the various roles in the system 100, such as the permissions to be described in further detail below. The interface between the asset management component 24 and the user role management component 22 allows for the synchronization of changes in the user role management component 22 with access management 20 device lists. Further, the asset management component 24 interfaces with the equipment database 38 to coordinate the grouping of the process control system 50 hardware components 19 with the appropriate access control device, such as electronic lock 40, and enclosure 17.

User authentication occurs at a first level when a user 60 attempts to access an enclosure 17 or cabinet at step 1 shown in FIG. 2. The enclosure 17 housing at least one control system component 19 has an electronic lock 40. The user may present credentials to the electronic lock 40 such as an ID card having HID or HID iCLASS proximity, a magnetic strip, key fob, RFID credentials or an embedded chip. Alternatively, the user is authenticated by entering a PIN code, voice recognition, or biometric information such as that obtained using a fingerprint, finger vein, or palm vein scanner for entry into the enclosure 17. It should be understood that the above authentication means are provided by way of non-limiting examples.

The electronic lock 40 can include a memory, a controller, and a microprocessor circuit to receive the user authentication information and communicate the identity of the user 60 a to the asset management component 24 of the process control system 50. In one embodiment, the electronic lock 40 can transmit the user ID and network address of the electronic lock 40 installed with the enclosure 17 to the asset management component 24 of the process control system 50.

An example of an electronic lock 40 suitable for use with the physical access control system 100 of the present disclosure is sold under the trademarks LockView® 4 CompX eLock® 200 or 300 series available from CompX® Security Products of Grayslake, Ill. It should be understood that other electronic locks 40 may be suitable for use with the present disclosure and that the above products are provided by way of non-limiting example.

The electronic lock 40 can be mounted on or located in proximity to the respective enclosure housing 17 of at least one control system physical component 19, network switches, network servers and communication equipment. The control system components 19 may be grouped together, such as a basic controller consisting of a power supply module, a controller, and local I/O modules, that are housed in a single enclosure 17. Alternatively, a large system has several controllers that communicate over an Ethernet-based control network and are housed in a single enclosure or multiple enclosures 17. An example of a controller that may be employed in the present system 100 is the AC 800M controller that is available commercially.

When a user 60 a attempts to access an enclosure 17 using one of the above mentioned authentication means or another means, the electronic lock 40 then contacts the control system 50 with an open request at step 2. Further, at step 3, a communication API 18 associated with the electronic lock 40 sends the open request over the network 15 utilizing a wireless or wired protocol. By way of non-limiting example, the wireless protocol can be IEEE 802.11, CDMA, or GSM and the wired protocol can be wired Ethernet, RS232, RS485, or IEEE 802.3.

As is well known, application programming interfaces, such as communication API 18, are often software frameworks or libraries that include specifications for routines, data structures, object classes, and variables. In one embodiment, the communication API 18 is an implementation of a protocol for communication between the asset management component 24 of the process control system 50 and the electronics of the electronic lock 40.

The open request is sent to the asset management component 24 and the open request identifies the user ID of the individual attempting to access the enclosure 17 and the network address of the electronic lock 40 associated with the enclosure 17. By way of non-limiting example, the network address is an IP address, media access control (MAC) address, ESN, MEID, IMEI, uniform resource locator (URL), telephone number or RS-485 bus ID. The network address of the electronic lock 40 is tied to a physical location in the asset management component 24 of the process control system 50.

At step 4 a, representing the second level of user authentication, the asset management component 24 requests the granted permissions of the user attempting to access the enclosure 17 from the access management component 20 of the process control system 50. The hierarchy of user access in the process control system 50 has roles at the highest level of the hierarchy assigned to the respective users. Each role has a permission or set of assigned permissions. By way of non-limiting example, a user may have the job of network administrator and is assigned the network engineer role.

Further, by way of non-limiting example, the permissions associated with the network engineer role in the access management component 20 are ‘Access Servers,’ ‘Access Networking,’ and ‘Access Control Enclosure n’. At step 4 b, the asset management component 24 identifies the enclosure 17 by the electronic lock 40 network address. The asset management component 24 identifies the enclosure by accessing the equipment database 38 which contains the enclosure network address, enclosure type, and enclosure contents. At step 4 c, the asset management component 24 retrieves through the API 18 the required access permissions of the respective enclosure 17 from the electronic lock 40. In step 4 d of the example of FIG. 2, the enclosure permission is equal to ‘Access Control Enclosure n.’

At step 5, if the ‘Access Control Enclosure n’ permission from the electronic lock 40 and the control system 50 match in the comparison between granted and required permissions performed by the asset management component 24, that is, when both the user profile and the required role associated with the enclosure 17 carry the ‘AccessControlEnclosure n’ permission, an open command is sent to the electronic lock communication API 18 at step 6.

The user/cabinet combination access granted message is sent to the audit sub-component 34 by the asset management component 24 at step 7. The audit system 34 records the date, time and enclosure name for which access was granted or denied to a user.

At step 8, the communication API 18 sends an open command to the electronic lock 40 over the network 15. At step 9, the lock opens and the user has access to the contents of the enclosure 17. Physical access to the contents of the enclosure 17 is tied to the particular job function of the user in this manner.

At step 10, the user accesses the enclosure 17 to perform maintenance or various other functions. At step 11, the user closes the enclosure 17. At step 12, the electronic lock 40 contacts the asset management component 24 over network 15 with a closed message. The communication API at step 13 sends the closed message to the asset management component 24. The closed message contains the user ID and the address of the electronic lock 40. At step 14, the user/cabinet combination access complete message is sent to the audit sub-component 34.

The electronic locks 40 installed with the respective enclosures 17 that house the network servers and associated hardware are configured with the required permission of ‘AccessControlEnclosure n,’ and are accessible to the user having the network engineer role. In this manner, the electronic lock authentication is integrated with the process control system authentication, unifying the user's job function with access to physical control system components. Typically, the network administrator accesses the network servers via logging on to the distributed control system. The example of the definition of the roles and permissions provided herein is just one way that the access management component 20 defines customer specific permissions. It should be understood that other definitions are available in the access management component 20 and that the above is presented by way of non-limiting example.

Another example is a user having the job function of a technician as depicted in FIG. 4. The technician is responsible for checking wiring, changing out I/O cards, and generally maintaining the process control system 50.

Using the system 100, access rights can delineate between enclosure housings and other types of components including but not limited to termination and safety system components. For example, a user is assigned the role of technician in the access management component 20 of the process control system 50 and the technician role contains a permission equal to ‘AccessInstrumentation.’

The technician role, as defined in the access management component 20, provides access to enclosures including a marshalling cabinet and a transmitter cabinet. The marshalling cabinet contains the terminations of all the field wires that can be connected to field hardware, such as a fieldbus. For example, the marshalling cabinet may employ sub-clustered input/output (I/O) assemblies connected to their host controllers via cable, fiber-optic or wireless industry-standard fieldbuses. The transmitter cabinet contains transmitters that have input/output circuitry for coupling to a process control loop.

The asset management component 24 obtains the required permissions for the enclosure from the electronic lock 40. The asset management component 24 retrieves the required permission of ‘AccessInstrumentation’ from the electronic lock 40. The asset management component 24 compares the required permission for the technician role with the permission of the electronic lock and determines that the permissions are equivalent. The technician is granted access to the respective marshalling and transmitter cabinets.

With reference now to FIG. 3, a user authentication sequence is shown wherein a user is denied access to the enclosure 17. The user has the network engineer role with the permission of ‘AccessControlEnclosure n’ and the required enclosure permission is ‘AccessTransmitterEnclosure n.’ The steps 1-5 are the same as the access granted scenario of FIG. 2 described previously.

However, in the present example, at step 5, the user permission of ‘AccessControlEnclosure n’ is compared to the enclosure 17 permission ‘AccessTransmitterEnclosure n’ by the access management component 20 and the permissions are determined to be different. At step 6, a denied command is sent by the asset management component 24 to the communication API 18. At step 7, the user/enclosure access denied message is sent to the audit system 34.

Further, at step 8, an unauthorized access attempt alarm is sent to the alarm system 36 from the asset management component 24. At step 9, an access denied message is sent from the access management component 20 via the communication API 18 over network 15 to the electronic lock 40. At step 10, the electronic lock 40 interface displays an access denied message to the user.
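The grant sequence of FIG. 2 (steps 2 through 14) and the denial sequence of FIG. 3, modelled as an added example in Python. This is illustration written for this page, not code from the patent or from any product it names; the record layouts, the `AssetManagement` class, the role, user and enclosure entries, and the lock addresses are all constructed. The equality test between the lock's required permission and the control system's granted permissions is implemented as membership of the required permission in the set of permissions granted to the user's role, and every decision is written to the audit list with denials also raising an alarm entry, matching steps 7 and 8.

```python
"""Two-level physical access decision for an electronic lock open request.

Added example, not the patent's code.  All records and sample values are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Enclosure:
    """One row of the equipment database 38 (constructed layout)."""
    name: str
    lock_address: str          # network address of the electronic lock 40
    enclosure_type: str
    required_permission: str   # the permission the lock itself is configured with


@dataclass
class AssetManagement:
    """Asset management component 24 together with the components it consults."""
    # access management 20 / user role management 22: role -> permissions, user -> role
    roles: dict[str, set[str]]
    users: dict[str, str]
    # equipment database 38, keyed by lock network address (step 4 b)
    equipment: dict[str, Enclosure]
    audit: list[dict] = field(default_factory=list)   # audit sub-component 34
    alarms: list[dict] = field(default_factory=list)  # alarm sub-component 36

    def granted_permissions(self, user_id: str) -> set[str]:
        """Step 4 a: ask access management for the permissions of the user's role."""
        role = self.users.get(user_id)
        return set(self.roles.get(role, set()))

    def handle_open_request(self, user_id: str, lock_address: str) -> str:
        """Steps 3-8: decide on an open request carrying (user ID, lock address).

        Returns the command handed to the communication API 18: "open" or "deny".
        """
        now = datetime.now(timezone.utc).isoformat()
        enclosure = self.equipment.get(lock_address)        # step 4 b
        if enclosure is None:
            # A lock address the equipment database cannot tie to a physical
            # location is refused and alarmed (constructed handling).
            self.audit.append({"time": now, "user": user_id,
                               "enclosure": lock_address, "result": "denied"})
            self.alarms.append({"time": now, "user": user_id,
                                "enclosure": lock_address, "alarm": "unknown lock address"})
            return "deny"
        granted = self.granted_permissions(user_id)          # step 4 a
        required = enclosure.required_permission             # step 4 c, read back from the lock
        # Step 5: validated only if the lock's required permission is one of the
        # permissions granted to the user's role.
        decision = "open" if required in granted else "deny"
        self.audit.append({"time": now, "user": user_id, "enclosure": enclosure.name,
                           "result": "granted" if decision == "open" else "denied"})  # step 7
        if decision == "deny":
            self.alarms.append({"time": now, "user": user_id, "enclosure": enclosure.name,
                                "alarm": "unauthorized access attempt"})             # step 8 of FIG. 3
        return decision

    def handle_close_message(self, user_id: str, lock_address: str) -> None:
        """Steps 12-14: the lock reports closed; record access complete in the audit."""
        enclosure = self.equipment.get(lock_address)
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(), "user": user_id,
                           "enclosure": enclosure.name if enclosure else lock_address,
                           "result": "access complete"})


def build_sample_system() -> AssetManagement:
    """Constructed roles, users and enclosures mirroring the FIG. 2 and FIG. 3 examples."""
    return AssetManagement(
        roles={
            "network engineer": {"Access Servers", "Access Networking", "AccessControlEnclosure 1"},
            "technician": {"AccessInstrumentation"},
        },
        users={"u-netadmin": "network engineer", "u-tech": "technician"},
        equipment={
            "10.0.5.11": Enclosure("Control Enclosure 1", "10.0.5.11", "controller",
                                   "AccessControlEnclosure 1"),
            "10.0.5.12": Enclosure("Transmitter Enclosure 1", "10.0.5.12", "transmitter",
                                   "AccessTransmitterEnclosure 1"),
            "10.0.5.13": Enclosure("Marshalling Cabinet 1", "10.0.5.13", "termination",
                                   "AccessInstrumentation"),
        },
    )


if __name__ == "__main__":
    pcs = build_sample_system()
    print(pcs.handle_open_request("u-netadmin", "10.0.5.11"))   # FIG. 2: open
    pcs.handle_close_message("u-netadmin", "10.0.5.11")
    print(pcs.handle_open_request("u-netadmin", "10.0.5.12"))   # FIG. 3: deny
    print(pcs.handle_open_request("u-tech", "10.0.5.13"))       # technician: open
    for entry in pcs.audit:
        print(entry)
```

The unknown-lock-address branch is a design choice the patent does not spell out: because the network address is what ties a request to a physical location, a request the equipment database cannot place is treated like any other denial and alarmed rather than silently dropped.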

With reference now to FIG. 4, the maintenance management component 26 of the process control system 50 is depicted along with other process control system components 20, 22, 24, 38 and has the same steps 1-4 as the process of FIG. 3. The maintenance management component 26 has work orders associated with equipment and components contained in corresponding enclosures 17 as well as information on the lock out/tag out status of each enclosure 17. As is known by one skilled in the art, a lock out/tag out is a safety procedure which is used in industry and research settings to ensure that dangerous machines are properly shut off and not started up again prior to the completion of maintenance or servicing work. The lock out/tag out procedure requires that hazardous power sources be “isolated and rendered inoperative” before any repair work is started. Equipment such as motor control centers, switchgear having cubicles housing circuit breakers and other electrical equipment have energized circuitry in enclosures that are managed by lock out/tag out procedures.

At step 5 (5 a request lockout; 5 b return locked out), the asset management component 24 requests lock out/tag out information from the maintenance management component 26 for the enclosure 17. The maintenance management component 26 transmits the lock out/tag out data equal to ‘yes’ to the asset management component 24. The asset management component 24 at step 6 compares the electronic lock 40 permissions with the enclosure 17 permissions and determines that the user is denied or granted access to the enclosure 17. In the example shown in FIG. 4, the user would be granted access to the enclosure 17; however, the asset management component 24 additionally checks the lock out/tag out status of the enclosure 17 and determines that the enclosure 17 is under a ‘lock out’ status.

At step 7, a denied command is sent to the communication API 18. At step 8, a user/enclosure/lockout access denied message is sent to audit sub-component 34. At step 9, an unauthorized access attempt alarm is sent to the alarm sub-component 36. At step 10, the communication API 18 sends an access denied message to the electronic lock 40 over the network 15. At step 11, the electronic lock 40 displays an access denied message to the user. The access denied message may also state that the enclosure is locked out and refer to the work order number under which the enclosure 17 has received a ‘lock out’ or ‘locked out’ status in the maintenance management component 26. In one embodiment, the maintenance management component 26 is part of the process control system 50. In other embodiments, the maintenance management component 26 is a stand-alone system such as an SAP system having a plant maintenance (PM) module or a Maximo system that is interfaced with the process control system 50.

In one embodiment, the enclosure 17 has sub-enclosures and the enclosure 17 and sub-enclosures each have their own electronic lock 40. In that same embodiment, a job function/role electrician configured in the process control system 50 can access the main enclosure 17, but cannot access the sub-enclosures, and a job function/role of technician would be able to access both the main enclosure 17 that houses circuit breakers and the sub-enclosures housing logic control circuit boards. It should be understood that the main enclosure 17 may be housed in the single location such as a room and that the sub-enclosure is housed inside the main enclosure 17. Each access point of entry for providing physical access to process control equipment and/or other equipment associated therewith includes the single location or room having a separate electronic lock installed at the access point to each of the main enclosure 17 and sub-enclosure.
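The lock out/tag out check of FIG. 4 and the nested room, main enclosure and sub-enclosure embodiment just described, combined into one added Python example. This is illustration written for this page, not the patent's code; the `MaintenanceManagement` representation (enclosure name mapped to a placeholder work order), the enclosure tree, the permission names and the electrician and technician role sets are constructed. It generalises slightly beyond the text: the decision walks every access point from the room down to the requested enclosure, applying the permission comparison and the lockout lookup at each one, so that a lockout on the main enclosure also refuses entry to a sub-enclosure inside it.

```python
"""Lock out/tag out status and nested-enclosure access decision.

Added example, not the patent's code.  Enclosure tree, role permissions and
the work order value are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Enclosure:
    """An access point (room, main enclosure or sub-enclosure) with its own lock 40."""
    name: str
    required_permission: str     # permission configured in this enclosure's electronic lock
    parent: Optional[str]        # enclosure this one is disposed within; None for the room


@dataclass
class MaintenanceManagement:
    """Maintenance management component 26: lock out/tag out status per enclosure.

    Constructed representation: enclosure name -> work order number under which
    the enclosure is locked out.  Enclosures not listed are not locked out.
    """
    lockouts: dict[str, str]

    def lockout_work_order(self, enclosure: str) -> Optional[str]:
        """Step 5 a/5 b of FIG. 4: the work order if locked out, otherwise None."""
        return self.lockouts.get(enclosure)


def enclosure_path(enclosures: dict[str, Enclosure], target: str) -> list[Enclosure]:
    """Chain of access points from the outermost (room) down to the target."""
    chain: list[Enclosure] = []
    node: Optional[Enclosure] = enclosures[target]
    while node is not None:
        chain.append(node)
        node = enclosures[node.parent] if node.parent is not None else None
    chain.reverse()
    return chain


def decide_access(enclosures: dict[str, Enclosure], maintenance: MaintenanceManagement,
                  user_permissions: set[str], target: str) -> tuple[str, str]:
    """Permission comparison plus lockout check at every enclosure on the way.

    Returns ("open" or "deny", reason).  A lockout denial names the work order,
    which FIG. 4 says the lock display may show to the user.
    """
    for enc in enclosure_path(enclosures, target):
        if enc.required_permission not in user_permissions:     # step 6 comparison
            return "deny", f"{enc.name}: missing permission {enc.required_permission!r}"
        work_order = maintenance.lockout_work_order(enc.name)    # step 5 lookup
        if work_order is not None:
            return "deny", f"{enc.name}: locked out under work order {work_order}"
    return "open", f"{target}: access granted"


# Constructed site: a room containing a motor control centre, which in turn
# contains a sub-enclosure holding logic control circuit boards.
SITE = {
    "Electrical Room": Enclosure("Electrical Room", "AccessElectricalRoom", None),
    "MCC-1": Enclosure("MCC-1", "AccessMotorControl 1", "Electrical Room"),
    "MCC-1 Logic": Enclosure("MCC-1 Logic", "AccessLogicBoards", "MCC-1"),
}

# Constructed roles for the sub-enclosure embodiment: the electrician reaches the
# main enclosure only, the technician reaches the sub-enclosure as well.
ROLE_PERMISSIONS = {
    "electrician": {"AccessElectricalRoom", "AccessMotorControl 1"},
    "technician": {"AccessElectricalRoom", "AccessMotorControl 1", "AccessLogicBoards"},
}


if __name__ == "__main__":
    no_lockouts = MaintenanceManagement(lockouts={})
    loto = MaintenanceManagement(lockouts={"MCC-1": "WO-PLACEHOLDER-1"})  # placeholder work order
    print(decide_access(SITE, no_lockouts, ROLE_PERMISSIONS["electrician"], "MCC-1"))
    print(decide_access(SITE, no_lockouts, ROLE_PERMISSIONS["electrician"], "MCC-1 Logic"))
    print(decide_access(SITE, no_lockouts, ROLE_PERMISSIONS["technician"], "MCC-1 Logic"))
    print(decide_access(SITE, loto, ROLE_PERMISSIONS["technician"], "MCC-1 Logic"))
```

Checking the lockout status of every enclosing access point, not only the one whose lock was presented with credentials, is the part that goes beyond the text; it keeps a locked out main enclosure from being entered on the strength of a sub-enclosure permission.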

In one aspect, the present disclosure discloses a system for administering physical access to at least one component of a process control system, having an electronic lock for restricting access to an enclosure containing said at least one component, said electronic lock associating a physical access permission with an enclosure and providing a first level of user authentication; a communication API for transmitting open and close requests between an access management component of the control system and the electronic lock; an asset management component for managing user roles and associated permissions in the process control system; and wherein the asset management component of the process control system includes a second level of user authentication wherein the at least one component physical access permission as defined in the access management component is compared with process control system permissions defined in the asset management component.

In a refined aspect, the system further comprises an audit system for tracking date, time and enclosure name when access is granted to a user; an audit system for tracking date, time and enclosure name when access is denied to a user; wherein the enclosure is a single location in a building; wherein the enclosure has at least one sub-enclosure housed therein, the sub-enclosure having an electronic lock installed thereon for restricting physical access to at least one process control component inside the sub-enclosure; wherein the sub-enclosure includes a different permission criteria than the enclosure.

In another aspect, the present disclosure includes a method for controlling physical access to at least one component of a process control system, comprising receiving user credentials by an electronic lock installed with an enclosure housing at least one component of the process control system; transmitting the user credentials and a lock address from the electronic lock to an access management component of the process control system; requesting user granted permissions by the access management component from the process control system asset management component; identifying the enclosure by using the locking system network address; receiving physical access permissions of the enclosure by the asset management component from the electronic lock; validating by the asset management component whether the received physical access permissions are equivalent to the user granted permissions in the control system; providing access to the at least one component inside the enclosure if the user is validated for access to the enclosure contents, and preventing access if the user is not validated for access to the enclosure.

In refined aspects, the method further comprises transmitting an unauthorized access attempt alarm from the asset management component to an alarm system when a user is denied access to the enclosure; transmitting a user/enclosure access denied message to an audit system when a user is denied access to the enclosure; recording in an audit system the tracking date, time and enclosure name for when enclosure access is granted to a user; recording in an audit system the tracking date, time and enclosure name when enclosure access is denied to a user.

In yet another aspect, the present disclosure includes a system for restricting physical access to at least one process control component inside an enclosure, the system comprising the enclosure, an electronic lock installed with the enclosure, a process control system having an access management component and an asset management component stored on a computer readable medium having computer readable instructions thereon that when executed by a processor, carry out the following steps: receiving, by the access management system through an application programming interface, user credentials presented to the electronic lock and the corresponding electronic lock address; receiving, by the asset management system, the user credentials and electronic lock address from the access management component; retrieving user role permissions defined by the asset management system using the user credentials; retrieving, by the asset management system, required permissions for accessing the at least one process control component housed in the enclosure; comparing, by the asset management system, the user role permission with the required access permissions for the at least one process control component; and transmitting an open request over the application programming interface to the electronic lock with the user roles and required permissions; and permitting access if the user roles are equivalent and denying access if they are not equivalent.

In refined aspects, the steps further comprise: retrieving a lockout status in the asset management system for the enclosure; and transmitting an open request to the enclosure electronic lock if the lockout status parameter is negative and restricting access to the enclosure if the lockout status parameter is affirmative.

In yet another aspect, the present disclosure includes a system comprising: a first enclosure having a first component for a computer system disposed therein; a first electronic lock configured to control physical access to the first component within the first enclosure; a first set of access permissions associated with the first electronic lock; a second enclosure disposed within the first enclosure, the second enclosure having a second component for a computer system disposed therein; a second electronic lock configured to control physical access to the second component within the second enclosure; and a second set of access permissions associated with the second electronic lock.

In refined aspects, the first set of access permissions is different from the second set of access permissions; user credentials are operable to define access permissions for a user; physical access to the first and second enclosures is determined based on comparisons between the access permissions of the first and second sets respectively and the access permissions defined by the credentials; physical access to the component in the second enclosure is permitted if the access permission defined by the user credentials satisfies the permission requirements of the first and second sets of enclosure permissions; the user credentials operate to permit the user to electronically access the computer component located within the enclosure; additional enclosures with additional computer components are disposed within the first and/or the second enclosures; an audit system is operable for logging data related to both successful and unsuccessful access events into each enclosure; the system includes a control system; an access management component defined in the control system is configured to tie the first enclosure, the first component and the first electronic lock to a first logical representation within the control system; and the access management component of the control system is configured to tie the second enclosure, the second component and the second electronic lock to a second logical representation.

While the invention has been illustrated and described in detail in the drawings and foregoing description, the same is to be considered as illustrative and not restrictive in character, it being understood that only the preferred embodiments have been shown and described and that all changes and modifications that come within the spirit of the inventions are desired to be protected. It should be understood that while the use of words such as preferable, preferably, preferred or more preferred utilized in the description above indicate that the feature so described may be more desirable, it nonetheless may not be necessary and embodiments lacking the same may be contemplated as within the scope of the invention, the scope being defined by the claims that follow. In reading the claims, it is intended that when words such as “a,” “an,” “at least one,” or “at least one portion” are used there is no intention to limit the claim to only one item unless specifically stated to the contrary in the claim. When the language “at least a portion” and/or “a portion” is used the item can include a portion and/or the entire item unless specifically stated to the contrary.

Unless specified or limited otherwise, the terms “mounted,” “connected,” “supported,” and “coupled” and variations thereof are used broadly and encompass both direct and indirect mountings, connections, supports, and couplings. Further, “connected” and “coupled” are not restricted to physical or mechanical connections or couplings.

1.-6. (canceled)
7. A method for controlling physical access to at least one component of a process control system, comprising: a. receiving user credentials by an electronic lock installed with an enclosure housing at least one component of said process control system; b. transmitting said user credentials and a lock address from said electronic lock to an access management component of said process control system; c. requesting user granted permissions by said access management component from an asset management component of said process control system; d. identifying said enclosure by using said lock address; e. receiving physical access permissions of said enclosure by said asset management component from said electronic lock; f. validating by said asset management component whether said received physical access permissions are equivalent to said user granted permissions in said control system; g. providing access to the at least one component inside said enclosure if said user is validated for access to said enclosure contents, and preventing access if said user is not validated for access to said enclosure.
8. The method of claim 7, further comprising: h. transmitting an unauthorized access attempt alarm from said asset management component to an alarm system when a user is denied access to said enclosure.
9. The method of claim 7, further comprising: h. transmitting a user/enclosure access denied message to an audit system when a user is denied access to said enclosure.
10. The method of claim 7, further comprising: h. recording in an audit system the tracking date, time and enclosure name for when enclosure access is granted to a user.
11. The method of claim 7, further comprising: h. recording in an audit system the tracking date, time and enclosure name when enclosure access is denied to a user.
12. A method for restricting physical access to at least one process control component inside an enclosure, performed by a system comprising the enclosure, an electronic lock installed with the enclosure, and a process control system having an access management component and an asset management component stored on a computer readable medium having computer readable instructions thereon that are executed by a processor, the method comprising: a. receiving, by the access management component through an application programming interface, user credentials presented to said electronic lock and the corresponding electronic lock address; b. receiving, by the asset management component, the user credentials and electronic lock address from the access management component; c. retrieving the user role permissions defined by the asset management component using the user credentials; d. retrieving, by the asset management component, required permissions for accessing the at least one process control component housed in the enclosure; e. comparing, by the asset management component, the user role permissions with the required access permissions for the at least one process control component; f. transmitting an open request over the application programming interface to the electronic lock with the user role required permissions; and g. permitting access if the user role permissions are equivalent to the required access permissions and denying access if they are not equivalent.
13. The method of claim 12, wherein the steps further comprise: a. retrieving a lockout status in the asset management component for the enclosure from a maintenance management component; and b. transmitting an open request to the enclosure electronic lock if the lockout status parameter is negative and restricting access to the enclosure if the lockout status parameter is affirmative.
14. A system comprising: a first enclosure having a first component for a computer system disposed therein; a first electronic lock configured to control physical access to the first component within the first enclosure; a first set of access permissions associated with the first electronic lock; a second enclosure disposed within the first enclosure, the second enclosure having a second component for a computer system disposed therein; a second electronic lock configured to control physical access to the second component within the second enclosure; and a second set of access permissions associated with the second electronic lock.
15. The system of claim 14, wherein the first set of access permissions is different from the second set of access permissions.
16. The system of claim 14 further comprising user credentials operable to define access permissions for a user.
17. The system of claim 16, wherein physical access to the first and second enclosures is determined based on comparisons between the access permissions of the first and second sets respectively and the access permissions defined by the user credentials.
18. The system of claim 17, wherein physical access to the component in the second enclosure is permitted if the access permission defined by the user credentials satisfies the permission requirements of the first and second sets of enclosure permissions.
19. The system of claim 16, wherein the user credentials operate to permit the user to electronically access the computer component located within the enclosure.
20. The system of claim 14 further comprising additional enclosures with additional computer components disposed within the first and/or the second enclosures.
21. The system of claim 20 further comprising an audit system operable for logging data related to both successful and unsuccessful access events into each enclosure.
22. The system of claim 14 further comprising: a control system; an access management component defined in the control system configured to tie the first enclosure, the first component and the first electronic lock to a first logical representation within the control system.
23. The system of claim 22, wherein the access management component of the control system is configured to tie the second enclosure, the second component and the second electronic lock to a second logical representation.
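The following Python simulation is an added illustration of the authorization flow in claims 7 through 13 (lock address identifies the enclosure, the asset management component compares the enclosure's required permissions with the user's role permissions, a maintenance lockout overrides the result, and every grant or denial is audited and a denial raises an alarm) together with the nested enclosures of claims 14 through 18, where opening the inner enclosure requires satisfying both the outer and the inner permission sets. It is not the patent's own code or any vendor's API. The component class names, the string-set permission model, the subset test used for "satisfies", the lock addresses, badge identifiers and roles are all constructed for the example.

```python
# Added example (not the patent's code): two-level physical access check with
# nested enclosures, maintenance lockout, audit logging and alarms.
# All names, addresses, badge IDs and roles below are constructed sample data.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Enclosure:
    name: str
    lock_address: str                     # network address of the electronic lock; identifies the enclosure
    required: frozenset                   # physical access permissions tied to this lock
    parent: Optional["Enclosure"] = None  # set when this enclosure sits inside another (claim 14)

    def lineage(self):
        """Yield this enclosure and every enclosure it is nested within, innermost first."""
        enc = self
        while enc is not None:
            yield enc
            enc = enc.parent

    def effective_required(self) -> frozenset:
        """Permissions needed to reach the contents: this lock's set plus every enclosing
        lock's set, because the outer door must be opened first (claim 18)."""
        req = frozenset()
        for enc in self.lineage():
            req |= enc.required
        return req


@dataclass
class AuditSystem:
    """Records granted and denied events with date/time and enclosure name (claims 9-11, 21)."""
    entries: list = field(default_factory=list)

    def record(self, outcome: str, user: str, enclosure: str, reason: str) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "outcome": outcome, "user": user, "enclosure": enclosure, "reason": reason,
        })


class AccessManagementComponent:
    """The control system's own role model: which user a credential belongs to and what
    permissions that user's roles grant (assumed structure, not the patent's)."""

    def __init__(self, role_permissions: dict, user_roles: dict, credential_owner: dict):
        self.role_permissions = role_permissions   # role name -> set of permissions
        self.user_roles = user_roles               # user -> list of role names
        self.credential_owner = credential_owner   # badge/credential id -> user

    def resolve(self, credential: str) -> Optional[str]:
        return self.credential_owner.get(credential)

    def granted_permissions(self, user: str) -> frozenset:
        perms = set()
        for role in self.user_roles.get(user, []):
            perms |= self.role_permissions.get(role, set())
        return frozenset(perms)


class AssetManagementComponent:
    """Second level of authentication: maps the lock address to an enclosure, honours
    maintenance lockouts (claim 13) and compares required vs granted permissions."""

    def __init__(self, enclosures, access_mgmt, audit, lockouts=()):
        self.by_address = {e.lock_address: e for e in enclosures}
        self.access_mgmt = access_mgmt
        self.audit = audit
        self.lockouts = set(lockouts)   # enclosure names currently under maintenance lockout
        self.alarms = []                # unauthorized access attempt alarms (claim 8)

    def open_request(self, credential: str, lock_address: str) -> bool:
        """Handle an open request forwarded from a lock; True means the lock may open."""
        enclosure = self.by_address.get(lock_address)
        user = self.access_mgmt.resolve(credential)
        enc_name = enclosure.name if enclosure else f"unknown lock {lock_address}"
        if enclosure is None or user is None:
            return self._deny(user or credential, enc_name, "unknown lock address or credential")
        locked = [e.name for e in enclosure.lineage() if e.name in self.lockouts]
        if locked:  # a lockout on any enclosing door also blocks the inner one
            return self._deny(user, enc_name, f"maintenance lockout on {', '.join(locked)}")
        required = enclosure.effective_required()
        granted = self.access_mgmt.granted_permissions(user)
        if not required <= granted:  # "satisfies" modelled as a subset test (assumption)
            missing = ", ".join(sorted(required - granted))
            return self._deny(user, enc_name, f"missing permission(s): {missing}")
        self.audit.record("granted", user, enc_name, "permissions satisfied")
        return True

    def _deny(self, user: str, enc_name: str, reason: str) -> bool:
        self.audit.record("denied", user, enc_name, reason)
        self.alarms.append((user, enc_name, reason))
        return False


def build_demo() -> AssetManagementComponent:
    """Constructed site: a controller cabinet with a switch enclosure nested inside it."""
    cabinet = Enclosure("controller-cabinet", "10.0.5.21", frozenset({"cabinet.open"}))
    switch_box = Enclosure("switch-enclosure", "10.0.5.22", frozenset({"network.maintain"}), parent=cabinet)
    access = AccessManagementComponent(
        role_permissions={"operator": {"cabinet.open"},
                          "network_tech": {"cabinet.open", "network.maintain"},
                          "network_only": {"network.maintain"}},
        user_roles={"alice": ["operator"], "bob": ["network_tech"], "carol": ["network_only"]},
        credential_owner={"BADGE-1001": "alice", "BADGE-1002": "bob", "BADGE-1003": "carol"},
    )
    return AssetManagementComponent([cabinet, switch_box], access, AuditSystem())


if __name__ == "__main__":
    am = build_demo()
    for badge, addr in [("BADGE-1001", "10.0.5.21"), ("BADGE-1001", "10.0.5.22"),
                        ("BADGE-1002", "10.0.5.22"), ("BADGE-1003", "10.0.5.22")]:
        print(badge, addr, "open" if am.open_request(badge, addr) else "denied")
    for entry in am.audit.entries:
        print(entry)
```

Carol's case is the one worth noting: her role carries the inner enclosure's permission but not the cabinet's, so the request at the switch enclosure is denied because the outer lock's requirement is folded into the check, which is the behaviour claim 18 describes.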